Process Hacker bypasses ESS HIPS

Discussion in 'ESET Smart Security' started by Quad, Apr 26, 2013.

Thread Status:
Not open for further replies.
  1. Quad

    Quad Registered Member

    Joined:
    Jan 10, 2013
    Posts:
    47
    Problem description (steps to reproduce):

    1. ESS HIPS enabled (Interactive Mode).
    2. No rules were created for Process Hacker, and it was not allowed to do anything at all.
    3. Process Hacker is running with administrative privileges (run as administrator).
    4. Terminate an application (tried several installed applications and portables).
    5. ESS HIPS prompts: "Terminate/Suspend another application?" with Allow/Deny options.
    6. Choose Deny.
    7. Process Hacker was still able to terminate the application.

    Obviously there is a flaw in the HIPS module that's allowing this to happen, and if Process Hacker can do it, then malware can do it too by exploiting this very same flaw in certain scenarios.

    Notes:

    1. Attempting to start/restart an application via Process Hacker with the same privileges also triggered HIPS but this time when Deny was clicked, it was not able to start it (proper behavior).

    2. Windows Task Manager, running with the same administrative privileges as Process Hacker and also with no HIPS rules, was not able to terminate an application when I selected Deny at the HIPS prompt; it's just Process Hacker that was able to bypass the HIPS deny action.

    3. When Process Hacker is run without administrative privileges, it's unable to terminate an application if Deny is selected at the HIPS prompt.

    System Info:

    ESS 6.0.316
    Process Hacker 2.30 (r5267)
    Windows 7 x86
     
    Last edited: Apr 26, 2013
  2. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    That's because Process Hacker uses several low-level techniques, including a driver for an internal kernel function, and calls it to terminate malware and rootkits. Not only NOD32 but any other AV can be shut down once you get admin privileges and the right commands.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yeah, with admin privileges it's possible to install a kernel driver in the system. Then it's possible for it to do absolutely everything, and there's no way for any vendor to protect against it.
    That's also the main reason why it's recommended to use standard user accounts for everyday work.
     
  4. ESS3

    ESS3 Registered Member

    Joined:
    Dec 11, 2007
    Posts:
    112
    Windows 7 Ultimate 64 bit :)
     

    Last edited: Apr 27, 2013
  5. Quad

    Quad Registered Member

    Joined:
    Jan 10, 2013
    Posts:
    47
    Let me be clear, I'm especially worried about zero-day threats.

    Malware can also gain administrator privileges using certain techniques.

    I didn't allow Process Hacker to load its system driver, yet it was able to terminate any application, except for 'ekrn.exe', which restarted itself instantly (<1 ms); can we call that a semi-success? Not sure.

    @ESS3, would you please try to terminate another application other than ESET own?

    At any rate, I'll further investigate the issue on my side, and hope ESET will do some on theirs too.

    Thanks all for your responses.
     
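The thread never pins down which termination path Process Hacker took when the HIPS deny did not hold. As an added check (not code from the thread, from ESET, or from Process Hacker), the following PowerShell harness spawns a disposable target and exercises one termination path at a time, so the HIPS prompt and the Deny decision can be observed per path, and the run can be repeated elevated and as a standard user as the original poster did. It assumes Windows PowerShell 5.1 or later, a HIPS in interactive mode, and notepad.exe as a harmless target; the target path and the helper names (KillTest.Native, Invoke-KillPath, Test-IsElevated) are this example's own, not from the thread.

```powershell
# Added test harness; not code from the thread or from ESET/Process Hacker.
# Spawns a disposable target and exercises one termination path at a time so
# the HIPS "Deny" decision can be checked per path. Run it once elevated and
# once as a standard user to reproduce the comparison made in the thread.
# Assumptions: Windows PowerShell 5.1 or later, a HIPS in interactive mode,
# and notepad.exe as a harmless target (all assumed, not from the thread).
param(
    [string]$TargetExe = "$env:SystemRoot\System32\notepad.exe"
)

# Documented Win32/native signatures for the direct paths.
Add-Type -Namespace KillTest -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool TerminateProcess(IntPtr h, uint exitCode);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("ntdll.dll")]
public static extern int NtTerminateProcess(IntPtr h, int exitStatus);
"@

$PROCESS_TERMINATE = [uint32]0x0001

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-KillPath {
    param([string]$Name, [scriptblock]$Action)
    $p = Start-Process -FilePath $TargetExe -PassThru
    Start-Sleep -Milliseconds 800            # let the target finish starting
    try   { & $Action $p }
    catch { Write-Verbose "$Name threw: $($_.Exception.Message)" }
    # Leave time for the HIPS prompt; answer Deny when it appears.
    Start-Sleep -Seconds 3
    $survived = [bool](Get-Process -Id $p.Id -ErrorAction SilentlyContinue)
    if ($survived) { $null = $p.CloseMainWindow() }  # polite WM_CLOSE, not a termination
    [pscustomobject]@{ Path = $Name; TerminatedDespiteDeny = (-not $survived) }
}

$paths = [ordered]@{
    # Managed Process.Kill -> kernel32!TerminateProcess (the path Task Manager also ends in)
    'Stop-Process'              = { param($p) Stop-Process -Id $p.Id -Force }
    # A separate process (taskkill.exe) performs the kill: tests per-caller attribution
    'taskkill /F'               = { param($p) & taskkill.exe /PID $p.Id /F | Out-Null }
    # WMI: the kill is carried out by the WMI service, not by this script
    'WMI Win32_Process'         = { param($p)
        $o = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
        $null = Invoke-CimMethod -InputObject $o -MethodName Terminate }
    # Direct kernel32 call with a PROCESS_TERMINATE handle
    'kernel32!TerminateProcess' = { param($p)
        $h = [KillTest.Native]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$p.Id)
        if ($h -ne [IntPtr]::Zero) {
            $null = [KillTest.Native]::TerminateProcess($h, 1)
            $null = [KillTest.Native]::CloseHandle($h) } }
    # Same call one layer lower; skips any hook placed only on kernel32
    'ntdll!NtTerminateProcess'  = { param($p)
        $h = [KillTest.Native]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$p.Id)
        if ($h -ne [IntPtr]::Zero) {
            $null = [KillTest.Native]::NtTerminateProcess($h, 1)
            $null = [KillTest.Native]::CloseHandle($h) } }
}

"Elevated: $(Test-IsElevated)"
$results = foreach ($k in $paths.Keys) { Invoke-KillPath -Name $k -Action $paths[$k] }
$results | Format-Table -AutoSize
```

Read the table per path: a row showing TerminatedDespiteDeny = True after you clicked Deny is a path the HIPS does not cover for that caller. The WMI and taskkill rows matter because the process that actually issues the kill is not the script, which is exactly the kind of attribution gap a HIPS can miss. Which of these paths, if any, corresponds to the one Process Hacker used without its driver is not established by the thread; the harness only tells you which paths your own HIPS configuration actually enforces.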